void sim_debug_output (const char *format,void *p,const char *file,const char *func,unsigned int line, ...){ va_list args; int len,len1; char tempbuf[TXT_BUF_SIZE]; char *buf; char *pbuf = NULL; if (ossim.log.level == G_LOG_LEVEL_DEBUG){ va_start (args, line); len = snprintf (NULL,0,"%p:%s:%s:%u => ",p,file,func,line); len1 =vsnprintf (NULL,0,format,args); va_end (args); if ((len+len1+2)<(TXT_BUF_SIZE)){ buf = tempbuf; }else{ if (( pbuf = buf = malloc (len+len1+2)) == NULL){ g_warning ("Can't allocate memory to send log message\n"); abort (); } } if (buf != NULL){ len = snprintf (buf,len+1,"%p:%s:%s:%u => ", p, file, func, line); va_start (args,line); len1 = vsnprintf (&buf[len],len1+1,format,args); //g_message (">>>> len:%u len1:%u",len,len1); //buf[len1+len] = '\0'; ossim_debug ("%s", buf); } if (pbuf) free (pbuf); va_end (args); } }
gchar* sim_event_get_alarm_insert_clause (SimDatabase *db_ossim, SimEvent *event, gboolean removable) { gchar time[TIMEBUF_SIZE]; gchar *timestamp=time; GString *query; GdaConnection *conn; gchar *e_alarm_stats = NULL; g_return_val_if_fail (SIM_IS_EVENT (event), NULL); conn = sim_database_get_conn (db_ossim); if(event->time_str) timestamp=event->time_str; else strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time)); guint efr = event->priority * event->reliability * 2; //this is used for compliance. The "*2" is to take a percentage if (event->alarm_stats) e_alarm_stats = sim_str_escape (event->alarm_stats, conn, 0); ossim_debug ( "%s: risk_c:%f, risk_a:%f", __func__, event->risk_c, event->risk_a); query = g_string_new ("REPLACE INTO alarm " "(event_id, backlog_id, corr_engine_ctx, timestamp, plugin_id, plugin_sid, " "protocol, src_ip, dst_ip, src_port, dst_port, " "risk, efr, similar, removable, stats) VALUES ("); g_string_append_printf (query, "%s", sim_uuid_get_db_string (event->id)); g_string_append_printf (query, ",%s", sim_uuid_get_db_string (event->backlog_id)); g_string_append_printf (query, ",%s", sim_uuid_get_db_string (sim_engine_get_id (event->engine))); g_string_append_printf (query, ",'%s'", timestamp); g_string_append_printf (query, ",%d", event->plugin_id); g_string_append_printf (query, ",%d", event->plugin_sid); g_string_append_printf (query, ",%d", event->protocol); g_string_append_printf (query, ",%s", (event->src_ia) ? sim_inet_get_db_string (event->src_ia) : "NULL"); g_string_append_printf (query, ",%s", (event->dst_ia) ? sim_inet_get_db_string (event->dst_ia) : "NULL"); g_string_append_printf (query, ",%d", event->src_port); g_string_append_printf (query, ",%d", event->dst_port); g_string_append_printf (query, ",%d", ((gint)event->risk_a > (gint)event->risk_c) ? (gint)event->risk_a : (gint)event->risk_c); g_string_append_printf (query, ",%u", efr); g_string_append_printf (query, ",IF('%s'<>''", (event->groupalarmsha1 != NULL ? event->groupalarmsha1 : "")); g_string_append_printf (query, ",'%s'", (event->groupalarmsha1 != NULL ? event->groupalarmsha1 : "")); g_string_append_printf (query, ",SHA1('%s'))", sim_uuid_get_db_string (event->id)); g_string_append_printf (query, ",%d", removable); g_string_append_printf (query, ",'%s')", e_alarm_stats ? e_alarm_stats : ""); g_free (e_alarm_stats); return g_string_free (query, FALSE); }
/** * sim_db_update_backlog: * @database: a #SimDatabase * @backlog: a #SimDirective * * Updates @backlog in @databse */ void sim_db_update_backlog (SimDatabase *database, SimDirective *backlog) { gchar *query = NULL; query = sim_directive_backlog_get_update_clause (backlog); ossim_debug ("%s: query= %s", __func__, query); sim_database_execute_no_query (database, query); g_free (query); }
gboolean sim_event_set_sid (SimEvent *event) { gchar *device_ip; gchar *sensor_device; guint sid; g_return_val_if_fail (SIM_IS_EVENT (event), FALSE); ossim_debug ("%s: Setting (sid) for event->id=%s", __func__, sim_uuid_get_string (event->id)); if (event->device) { device_ip = sim_inet_get_canonical_name (event->device); sensor_device = g_strdup_printf ("%s/%s/%s", sim_uuid_get_string (event->sensor_id), event->interface, device_ip); g_free (device_ip); } else sensor_device = g_strdup_printf ("%s", sim_uuid_get_string (event->sensor_id)); sid = sim_container_get_sensor_sid (ossim.container, sensor_device); if (!sid) // First event for this sid, so we must insert the sensor to the database { // Insert it to db as the old way (but now it's cached). sid = sim_organizer_snort_sensor_get_sid (ossim.dbsnort, event->sensor_id, event); sim_container_add_sensor_sid (ossim.container, sensor_device, sid); ossim_debug ("%s: not from cache: sid: %u", __func__, sid); } else { ossim_debug ("%s: from cache: sid: %u", __func__, sid); g_free (sensor_device); } event->device_id = sid; return TRUE; }
/** * sim_db_insert_backlog: * @database: a #SimDatabase * @backlog: a #SimDirective * * Insert @backlog in @database */ void sim_db_insert_backlog (SimDatabase *database, SimDirective *backlog) { gchar *query = NULL; g_return_if_fail (SIM_IS_DATABASE (database)); g_return_if_fail (SIM_IS_DIRECTIVE (backlog)); query = sim_directive_backlog_get_insert_clause (backlog); ossim_debug ("%s: query= %s", __func__, query); sim_database_execute_no_query (database, query); g_free (query); }
/** * sim_db_insert_dummy_backlog_event: * @database: a #SimDatabase * @event: a #SimEvent * */ void sim_db_insert_dummy_backlog_event (SimDatabase *database, SimEvent *event) { gchar *query, *values; g_return_if_fail (SIM_IS_DATABASE (database)); g_return_if_fail (SIM_IS_EVENT (event)); values = sim_directive_dummy_backlog_event_get_values_clause (event); query = g_strdup_printf("INSERT INTO backlog_event VALUES %s", values); ossim_debug ("%s: query = %s", __func__, query); sim_database_execute_no_query (database, query); g_free (values); g_free (query); }
SimEvent * sim_event_new (void) { SimEvent *event; GString *st; gint i; event = g_slice_new0 (SimEvent); sim_event_init (event); st = g_string_new (""); for (i = 0; i < N_TEXT_FIELDS; i++) { g_string_append_printf (st, "%s%s", sim_text_field_get_name (i), (i != (N_TEXT_FIELDS - 1)) ? "," : ""); } event->sql_text_fields = g_string_free (st, FALSE); ossim_debug ("sim_event_instance_init"); event->signature = 0xdeadbeef; event->type = SIM_EVENT_TYPE_NONE; event->log = NULL; //The agent should always write a date/time field in the events, so it's not necesary to initialize time, time_str, diff_time and tzone // event->protocol = SIM_PROTOCOL_TYPE_NONE; event->condition = SIM_CONDITION_TYPE_NONE; event->asset_src = VOID_ASSET; event->asset_dst = VOID_ASSET; event->store_in_DB = TRUE; //we want to store everything by default event->can_delete= FALSE; // It has to be processed by 2 threads before destruction event->is_correlated = FALSE; //local mode event->correlation = EVENT_MATCH_NOTHING; event->belongs_to_alarm = FALSE; //this is send across network event->policy= NULL; //DON'T release memory for this variable!!!! (the data inside belongs to Container) event->context = NULL; event->engine = NULL; return event; }
/** * sim_db_insert_host_mac: * * Insert 'host mac' event in @databse */ void sim_db_insert_host_mac (SimDatabase *database, SimInet *inet, gchar *date, gchar *mac, gchar *vendor, gchar *interface, SimInet *sensor, SimUuid *context_id) { gchar *query; gchar *vendor_esc; g_return_if_fail (SIM_IS_DATABASE (database)); g_return_if_fail (SIM_IS_INET (inet)); g_return_if_fail (date); g_return_if_fail (mac); g_return_if_fail (interface); g_return_if_fail (sensor); // we want to insert only the hosts defined in Policy->hosts or inside a network from policy->networks // if((sim_container_get_host_by_ia(container,ia) == NULL) && (sim_container_get_nets_has_ia(container,ia) == NULL)) // return; vendor_esc = g_strescape (vendor, NULL); query = g_strdup_printf ("INSERT INTO host_mac (id, ctx, sensor, date, mac, vendor, interface) " "SELECT id, %s, %s, '%s', '%s', '%s', '%s' FROM host WHERE ip = %s and ctx = %s LIMIT 1", sim_uuid_get_db_string (context_id), sensor ? sim_inet_get_db_string (sensor) : "NULL", date, mac, (vendor_esc) ? vendor_esc : "", interface, sim_inet_get_db_string (inet), sim_uuid_get_db_string (context_id)); g_free (vendor_esc); ossim_debug ("%s: query: %s", __func__, query); sim_db_execute_query (database, query); g_free (query); }
/** * sim_db_insert_backlog_event: * @database: a #SimDatabase * @backlog: a #SimDirective * @event: a #SimEvent * * Insert @backlog @event in @databse */ void sim_db_insert_backlog_event (SimDatabase *database, SimDirective *backlog, SimEvent *event, gint level) { gchar *query; g_return_if_fail (SIM_IS_DATABASE (database)); g_return_if_fail (SIM_IS_DIRECTIVE (backlog)); g_return_if_fail (SIM_IS_EVENT (event)); query = sim_directive_backlog_event_get_insert_clause (backlog, event, level); ossim_debug ("%s: query= %s", __func__, query); sim_database_execute_no_query (database, query); g_free (query); }
/** * sim_db_insert_alarm: * @database: #SimDatabase * @event: event alarm * @removable: if the alarm is removable or not (it'll be removable only if it's finished/reached timeout). * * This is usefull if the event has the "alarm" flag. This can occur for example if the event has * priority&reliability very high and it has been converted automatically into an alarm. Also, this can occur * if the event is a directive_event which has been re-inserted into container from sim_correlation. * * we also assign here an event->id (if it hasn't got anyone, like the first time the event arrives). * event->id is just needed to know if that event belongs to a specific backlog_id (a directive), so if * an event is not part of an alarm, it hasn't got any sense to fill event->id. * */ void sim_db_insert_alarm (SimDatabase *database, SimEvent *event, gboolean removable) { gchar *insert; g_return_if_fail (SIM_IS_DATABASE (database)); g_return_if_fail (SIM_IS_EVENT (event)); ossim_debug ("%s with id %s", __func__, sim_uuid_get_string (event->id)); insert = sim_event_get_alarm_insert_clause (database, event, removable); sim_database_execute_no_query (database, insert); g_free (insert); return; }
/** * sim_db_insert_event: * @database: a #SimDatabase * @event: a #SimEvent to insert * * This function gets an event-> id and insert the event into DB. */ void sim_db_insert_event (SimDatabase *database, SimEvent *event) { gchar *query = NULL; g_return_if_fail (SIM_IS_DATABASE (database)); g_return_if_fail (SIM_IS_EVENT (event)); if (event->is_stored) { ossim_debug ("%s: Duplicate insert event->id: %s", __func__, sim_uuid_get_string (event->id)); return; } ossim_debug ("%s: Storing event->id = %s event->is_stored = %u", __func__, sim_uuid_get_string (event->id), event->is_stored); query = sim_event_get_insert_clause (event); ossim_debug ("%s: query= %s", __func__, query); sim_database_execute_no_query (database, query); g_free (query); if (event->src_username || event->dst_username) { query = sim_event_idm_get_insert_clause (sim_database_get_conn (database), event); ossim_debug ("%s: idm_data query_values= %s", __func__, query); sim_database_execute_no_query (database, query); g_free (query); } if (event->data || event->log || event->binary_data) { query = sim_event_extra_get_insert_clause (sim_database_get_conn (database), event); ossim_debug ("%s: extra_data query_values= %s", __func__, query); sim_database_execute_no_query (database, query); g_free (query); } if (g_hash_table_size (event->otx_data) > 0) { query = sim_event_pulses_get_insert_clause (sim_database_get_conn (database), event); ossim_debug ("%s: otx_data query_values= %s", __func__, query); sim_database_execute_no_query (database, query); g_free (query); } event->is_stored = TRUE; }
void sim_db_update_plugin_sid (SimDatabase *database, SimDirective *directive, SimUuid *uuid) { SimPluginSid *plugin_sid = NULL; gchar *query; g_return_if_fail (SIM_IS_DATABASE (database)); g_return_if_fail (SIM_IS_DIRECTIVE (directive)); g_return_if_fail (SIM_IS_UUID (uuid)); plugin_sid = sim_plugin_sid_new_from_data (SIM_PLUGIN_ID_DIRECTIVE, sim_directive_get_id (directive), 1, sim_directive_get_priority (directive), sim_directive_get_name (directive)); query = sim_plugin_sid_get_insert_clause (plugin_sid, uuid); ossim_debug ("%s: %s", __func__, query); sim_database_execute_no_query (database, query); g_object_unref (plugin_sid); g_free (query); }
static void _sim_event_free (SimEvent *event) { ossim_debug ("%s: Id %s, Device_id %u", __func__, sim_uuid_get_string (event->id), event->device_id); if (event->id) g_object_unref (event->id); if (event->src_ia) g_object_unref (event->src_ia); if (event->dst_ia) g_object_unref (event->dst_ia); if (event->src_net) g_object_unref (event->src_net); if (event->dst_net) g_object_unref (event->dst_net); if (event->src_id) g_object_unref (event->src_id); if (event->dst_id) g_object_unref (event->dst_id); if (event->sensor) g_object_unref (event->sensor); if (event->sensor_id) g_object_unref (event->sensor_id); if (event->device) g_object_unref (event->device); g_free (event->interface); g_free (event->server); if (event->servername) g_free (event->servername); g_free (event->sql_text_fields); g_free (event->value); g_free (event->data); if (event->role) sim_role_unref (event->role); if (event->policy) g_object_unref (event->policy); g_free (event->time_str); if (event->log) g_string_free (event->log, TRUE); g_free (event->alarm_stats); g_free (event->filename); //no needed to check, g_free will just return if "filename" is NULL g_free (event->username); g_free (event->password); g_free (event->userdata1); g_free (event->userdata2); g_free (event->userdata3); g_free (event->userdata4); g_free (event->userdata5); g_free (event->userdata6); g_free (event->userdata7); g_free (event->userdata8); g_free (event->userdata9); g_free (event->rulename); if (event->src_username) g_hash_table_unref (event->src_username); g_free (event->src_username_raw); if (event->dst_username) g_hash_table_unref (event->dst_username); g_free (event->dst_username_raw); g_free (event->src_hostname); g_free (event->dst_hostname); g_free (event->src_mac); g_free (event->dst_mac); g_free (event->str_rep_act_src); if(event->rep_act_src) g_hash_table_unref (event->rep_act_src); g_free (event->str_rep_act_dst); if(event->rep_act_dst) g_hash_table_unref (event->rep_act_dst); g_free (event->buffer); if (event->groupalarmsha1) g_free (event->groupalarmsha1); if (event->binary_data) g_free (event->binary_data); if (event->context) g_object_unref (event->context); if (event->engine) g_object_unref (event->engine); g_slice_free (SimEvent, event); }